TYPO USER_IN_DKIM_WHITELSIT in 60_whitelist_dkim.cf

2021-12-01 Thread Steve Charmer
Hi, I am running version 3.4.2 /usr/bin/spamassassin -V SpamAssassin version 3.4.2 running on Perl version 5.22.1 spamd --version SpamAssassin Server version 3.4.2 running on Perl 5.22.1 with SSL support (IO::Socket::SSL 2.024) with zlib support (Compress::Zlib 2.068) which spamd

Re: How do I search and capture text for use in a rule?

2021-05-07 Thread Steve Dondley
On 2021-05-07 10:33 AM, Henrik K wrote: On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote: I want to extract the first part of an email address from the "Delivered-To" header and use it within a custom rule. Example pseudo code: my ($first_part) = $email_file =~

How do I search and capture text for use in a rule?

2021-05-07 Thread Steve Dondley
I want to extract the first part of an email address from the "Delivered-To" header and use it within a custom rule. Example pseudo code: my ($first_part) = $email_file =~ /^Deliver-To: (.*)/; body __LOCAL_AWKWARD_INTRO /hi $first_part/i How can I do this in my .cf file?

Re: More fake order spam

2021-04-27 Thread Steve Dondley
On 2021-04-27 03:03 PM, Dave Wreski wrote: Invalid List-ID. You can then use that with other weirdness in a meta. header    __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/ meta   LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS score 

Re: More fake order spam

2021-04-27 Thread Steve Dondley
On 2021-04-27 02:23 PM, Reindl Harald wrote: Am 27.04.21 um 19:57 schrieb Steve Dondley: On 2021-04-27 01:19 PM, Dave Wreski wrote: Investigate adding the SEM_FRESH rules - this domain was created less than five days ago. https://spameatingmonkey.com/services OK, how do I get those rules

Re: More fake order spam

2021-04-27 Thread Steve Dondley
On 2021-04-27 01:19 PM, Dave Wreski wrote: -2.5 RCVD_IN_HOSTKARMA_W    RBL: Sender listed in HOSTKARMA-WHITE [185.41.28.7 listed in hostkarma.junkemailfilter.com] We've reduced this score to -1 locally. -1.0 BAYES_00   BODY: Bayes spam probability is 0

Re: More fake order spam

2021-04-27 Thread Steve Dondley
On 2021-04-27 01:12 PM, Greg Troxel wrote: As always, if you have a problem stemming from a dns-based or similar reputation list, you need to report problems to those lists. If you aren't running greylisting with aggressive delays for SBL/XBL and moderate for dialup, do that too. What does

More fake order spam

2021-04-27 Thread Steve Dondley
Got this: https://pastebin.com/Gfz951dh Spam report: Content analysis details: (-2.3 points, 5.0 required) pts rule name description -- -- -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in

Re: Getting "config: registryboundaries: no tlds defined, need to run sa-update" message when running mass-check

2021-04-25 Thread Steve Dondley
On 2021-04-25 01:47 PM, Henrik K wrote: On Sun, Apr 25, 2021 at 01:28:31PM -0400, Steve Dondley wrote: > mass-check -c parameter expects to find every config file in that single > directory. Now it's missing spamassassin updates and specifically > 20_aux_tlds.cf from there. You c

Re: Getting "config: registryboundaries: no tlds defined, need to run sa-update" message when running mass-check

2021-04-25 Thread Steve Dondley
spamassassin -V reports: "SpamAssassin version 3.4.4" I imagine I have to checkout an older 3.4.4 point version from SVN and use the mass-check command from that. It's been ages since I've used SVN. How can I get to the older version via SVN? I solved this by downloading version 3.4.4 of

Re: Getting "config: registryboundaries: no tlds defined, need to run sa-update" message when running mass-check

2021-04-25 Thread Steve Dondley
> On Apr 25, 2021, at 1:31 PM, Axb wrote: > > What are you trying to do? > run masscheck for your rules or for the SA project? I’m experimenting with writing my own rules. My machines are using SA 3.4.4 so I want to use the 3.4.4 rules.

Re: Getting "config: registryboundaries: no tlds defined, need to run sa-update" message when running mass-check

2021-04-25 Thread Steve Dondley
mass-check -c parameter expects to find every config file in that single directory. Now it's missing spamassassin updates and specifically 20_aux_tlds.cf from there. You could copy it to /etc/spamassassin temporarily, but I'd rather make a completely separate directory that should include

Getting "config: registryboundaries: no tlds defined, need to run sa-update" message when running mass-check

2021-04-25 Thread Steve Dondley
I'm running this command: ./mass-check -n --rules='^LOCAL_AWK_INTRO' -o ham:dir:/spam/Maildir/.INBOX* -c=/etc/spamassassin/ | grep '. 1' Everything appears to work as expected but I'm getting this warning/error when I do: "config: registryboundaries: no tlds defined, need to run

Re: Two different machines running same versoin of SA giving different scores for scores that are commented out

2021-04-25 Thread Steve Dondley
On 2021-04-25 10:19 AM, RW wrote: On Sun, 25 Apr 2021 00:40:59 -0400 Steve Dondley wrote: On both machines, /usr/share/spasmassassin/72_active.cf has this rule which is commented out: This is the legacy rule directory from before sa-update existed. Have you not got another directory

Re: Two different machines running same versoin of SA giving different scores for scores that are commented out

2021-04-25 Thread Steve Dondley
On 2021-04-25 05:57 AM, Reindl Harald wrote: Am 25.04.21 um 07:09 schrieb Steve Dondley: That rule has this line in the 72_active.cf file: Look in 72_scores.cf and compare the modification dates on that file. Their scores as of today (saturday): 72_scores.cf:score FSL_BULK_SIG

Re: Two different machines running same versoin of SA giving different scores for scores that are commented out

2021-04-24 Thread Steve Dondley
On 2021-04-25 01:00 AM, John Hardin wrote: On Sun, 25 Apr 2021, Steve Dondley wrote: I'm running the same version of SA on the same email on two different machines and getting different scores in for some rules in the report: Machine A gives: 0.0 FSL_BULK_SIG Bulk signature

Two different machines running same versoin of SA giving different scores for scores that are commented out

2021-04-24 Thread Steve Dondley
I'm running the same version of SA on the same email on two different machines and getting different scores in for some rules in the report: Machine A gives: 0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe Machine B gives: 1.0 FSL_BULK_SIG Bulk signature with no

Re: Script or command for testing new rules to ensure new rules don't generate false positives/negatives?

2021-04-24 Thread Steve Dondley
And if you want to test your rules against a corpus rather than testing against a few one-off spamples, then look into setting up a local masscheck instance. You don't need to upload the results to SA, but it will give you a good overview of how a rule behaves against multiple messages. I'm

Re: Script or command for testing new rules to ensure new rules don't generate false positives/negatives?

2021-04-24 Thread Steve Dondley
On 2021-04-23 05:41 PM, Martin Gregorie wrote: On Fri, 2021-04-23 at 16:28 -0400, Steve Dondley wrote: I'm experimenting with writing a library of my own SA rules and scores. I do this on a separate computer, which has Spamassassin installed but not linked into anything else. It also has

Script or command for testing new rules to ensure new rules don't generate false positives/negatives?

2021-04-23 Thread Steve Dondley
I'm experimenting with writing a library of my own SA rules and scores. I'd like to be sure that the rules I write don't turn ham into spam and vice versa. I figured the best way to do this would be to run SA against an existing collection of ham and spam to make sure emails are still scored

Re: Why single periods in regex in spamassassin rules?

2021-04-23 Thread Steve Dondley
On 2021-04-23 01:37 PM, Henrik K wrote: On Fri, Apr 23, 2021 at 01:03:33PM -0400, Steve Dondley wrote: I'm looking at KAM.cf. There is this rule: body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i I'm wondering if there is a good reason why a single period is used

Re: how to disable spamcheck for Outgoing mail

2021-04-23 Thread Steve Dondley
On 2021-04-23 01:02 PM, mau...@gmx.ch wrote: > Hello > > Please how its possible to disable the spam check from sending mails from > "privat to public" network? > > I was really thinking if enable the trusted network this will pass over. > > trusted_networks 192.168.28. > > thanks

Why single periods in regex in spamassassin rules?

2021-04-23 Thread Steve Dondley
I'm looking at KAM.cf. There is this rule: body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i I'm wondering if there is a good reason why a single period is used instead of something like \s+ which would catch multiple spaces whereas a single period doesn't.

Re: SA seems powerless against marketing emails for SEO/web development

2021-04-23 Thread Steve Dondley
I could add another point between BAYES_999 and BAYES_99 scores but that seems reactionary. Is there a better way? Should I throw in another point for certain keywords in marketing emails like these? add score to tags that score positive 0.0 until it gives 5.0 and above I like this

Re: SA seems powerless against marketing emails for SEO/web development

2021-04-22 Thread Steve Dondley
On 2021-04-22 02:31 PM, Matus UHLAR - fantomas wrote: On 22.04.21 14:21, Steve Dondley wrote: pts rule name description -- -- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org

SA seems powerless against marketing emails for SEO/web development

2021-04-22 Thread Steve Dondley
For whatever reason, solicitations from marketers for various web development services are easily slipping through my defenses. I figured bayes filtering would eventually do the job but after reporting them for many days now, I'm still getting like 3 to half dozen a day. Here's one example:

Re: DCC license

2021-04-22 Thread Steve Dondley
The DCC FAQ at https://www.dcc-servers.net/dcc/FAQ.html#license describes the definitive ways to get any questions answered regarding DCC licensing. Any answers you could get here would be conjecture and anecdote. I found a form on their website for licensing questions. Waiting to hear

DCC license

2021-04-22 Thread Steve Dondley
Sorry if this is a bit off-topic. I'm looking into installing DCC (Distributed Checksum Clearinghouse) software. The page at https://www.dcc-servers.net/dcc/INSTALL.html says: "The free license is intended to cover individuals and organizations including Internet service providers using

Re: pyzor

2021-04-21 Thread Steve Dondley
On 2021-04-21 11:00 AM, Eric Broch wrote: Does anyone one have a solution to this: spamd[]: pyzor: check failed: internal error, python traceback seen in response I have this in my local.cf #pyzor use_pyzor 1 pyzor_path /usr/bin/pyzor I don't have this in my config at all. Maybe you are

Spoofed amazon order email

2021-04-16 Thread Steve Dondley
First, thanks to everyone on the list who has given me a hand over the past couple of weeks as I get my "sea legs" with spamassassin. It's working well for me now but I obviously still have more to learn. For one, I'm still uncertain on the best way to fine tune SA to beat back some tricky

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-12 Thread Steve Dondley
On 2021-04-12 03:11 AM, Matthias Leisi wrote: > -2.0 RCVD_IN_DNSWL_HI RBL: Sender listed at > https://www.dnswl.org/, > high trust > [203.160.71.180 listed in list.dnswl.org [1]] I looked up this, and the other > one, and didn't find them in dnswl. As > others said, if you are using

Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-12 Thread Steve Dondley
However, in 50_scores.cf, this line is commented out: #score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5 Maybe that's the problem? no, there are other SORBS lists used: score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2 score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2 score RCVD_IN_SORBS_MISC 0 # n=0

Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
sorbs dnsbl missing, have you denied sorbs.net results ?, or is spamassassin not testing sorbs.net anymore ? Best I can tell, my SA config should be testing for sorbs. I've got this line in /etc/spamassassin/v3220.pre: loadplugin Mail::SpamAssassin::Plugin::DNSEval And in

Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
Also, I've heard of sorbs over the years but I'm not sure exactly what it is. Is this the same block list run by Cisco? OK, I was getting SORBS confused with SenderBase Reputation Score (SBRS). That's the one run by Cisco, I believe. I actually have an account on the SORBS website that I

Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
sorbs dnsbl missing, have you denied sorbs.net results ?, or is spamassassin not testing sorbs.net anymore ? How would I check if it's turned on? I tried grepping in /etc/spamassassin on "sorb" (case insensitive) and found nothing. So I guess it's not in my default config. I see many

Re: Is pyzor recommended by folks on this list?

2021-04-11 Thread Steve Dondley
Second, I'm not sure if my tests will work on my spam samples which have the spam encapsulated with the "report_safe" setting set to a value of "1". I wouldn't expect it to work at all. "report_safe" encapsulation creates a new email which isn't a spam. From what I read on pyzor's home

Re: Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
On 2021-04-11 04:19 PM, Benny Pedersen wrote: On 2021-04-11 22:09, Steve Dondley wrote: Content analysis details: (4.4 points, 5.0 required) pts rule name description -- -- 3.5 BAYES_99

Using spamassassin to thwart sharepoint phishing attacks

2021-04-11 Thread Steve Dondley
I've received about a dozen phishing attack emails from Microsoft's sharepoint service within the last couple of weeks. Only one of them was identified by SA as spam. After running the emails through sa-learn, they still only score a 4 to 4.5. But I could see that it would be easy for these

Re: Is pyzor recommended by folks on this list?

2021-04-11 Thread Steve Dondley
On 2021-04-11 03:09 PM, Bill Cole wrote: On 11 Apr 2021, at 13:21, Steve Dondley wrote: value of "1". By the way, anyone know of a CLI utility for extracting the original spam email from these files? spamassassin -d < wrappedspam.eml Ah, ok. I was familiar with the -d o

Re: Is pyzor recommended by folks on this list?

2021-04-11 Thread Steve Dondley
value of "1". By the way, anyone know of a CLI utility for extracting the original spam email from these files? Here's a very crude perl script that does the trick: #!/usr/bin/perl use strict; use warnings; my $email; while (<>) { $email .= $_; } my ($boundary) = $email =~

Re: Is pyzor recommended by folks on this list?

2021-04-11 Thread Steve Dondley
On 2021-04-11 09:34 AM, Benny Pedersen wrote: On 2021-04-11 15:13, Steve Dondley wrote: What do you think? pyzor is useful if running pyzord locally, design of pyzor was imho meant to be local pyzord and have the pyzor client query local, but pyzord could be get results from other pyzord

Is pyzor recommended by folks on this list?

2021-04-11 Thread Steve Dondley
I just installed pyzor and did a random spot check of about 10 spam emails to try to evaluate it using this command: pyzor check < some_spam Only one message gave me a hit on pyzor. But I take my results with a grain of salt because I may not have pyzor configured optimally. For one, I'm

Re: Spamassassin reporting IP address is whitelisted by DNSWL.org but DNSWL.org reports it is not

2021-04-10 Thread Steve Dondley
On 2021-04-10 03:20 PM, Bill Cole wrote: On 10 Apr 2021, at 14:53, Steve Dondley wrote: I'm very, very sorry to beat a dead horse, but I'm deeply confused by the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly on my system. STOP USING ANY PUBLIC DNS RESOLVERS WIT

Spamassassin reporting IP address is whitelisted by DNSWL.org but DNSWL.org reports it is not

2021-04-10 Thread Steve Dondley
I'm very, very sorry to beat a dead horse, but I'm deeply confused by the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly on my system. I ran this command: sudo -u s -- spamassassin -t -d < some_email It gives me this report: pts rule name description

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-10 Thread Steve Dondley
You should fix URIBL_BLOCKED first. You need a local, caching, non-forwarding DNS server for SpamAssassin. Yeah, setting up a DNS server for SA is on my todo list. Thanks. When you say local, it doesn't have to be on the same machine as spamassassin, does it? I assume I can have the DNS

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-10 Thread Steve Dondley
It would be helpful to post an entire actual set of headers -- unmodified -- along with the spamassassin -t report. I can't figure out (from what you posted) the IP address of the server that was in DNSWL_HI that delivered mail to your internal/trusted network. OK, here is the entire output

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-10 Thread Steve Dondley
On 2021-04-10 12:10 PM, Greg Troxel wrote: Steve Dondley writes: Here are the headers from some egregious spam. It scored a whopping 20.8 point despite being flagged with "RCVD_IN_DNSWL_HI." Return-Path: Delivered-To: s...@example.com Received: from email.e

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-10 Thread Steve Dondley
I have been looking at this issue a little more. I just grepped my spam folder. Out of 1000 emails I have flagged as spam, 321 have been flagged with RCVD_DNSWL_HI, a rule which adds -5 points to the email. That's almost 1 out of 3 emails which seems pretty insane. Here are the headers from

Re: DNSWL overriding bayes_99 and bayes_999 rules

2021-04-10 Thread Steve Dondley
On 2021-04-06 11:48 AM, Steve Dondley wrote: I have emails that have been flagged as spam in the past but that are still getting through, presumably because the servers are on some DNSWL. Example: X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999, DATE_IN_PAST_03_06

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
It can only do so if report_safe is set to 0. With non-zero report_safe settings, the original mail is encapsulated as an attachment inside a wrapper message also including the report. That wrapper message containing the SA report is "safe" because it is fully local, the text/plain part won't

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
On 2021-04-06 04:19 PM, Steve Dondley wrote: It seems to have done so. Thank you. Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. I've recently switched to Roun

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. Ah! I see that option now under the little down arrow next to "Reply all". My day is made. Thanks!

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
It seems to have done so. Thank you. Some MUAs have a "Reply to List" function that uses the List-Post header (and sometimes heuristics when that header is missing) to send replies only to a list itself. I've recently switched to Roundcube from gmail. I didn't see that option but I think

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
On 2021-04-06 02:55 PM, Steve Dondley wrote: On 2021-04-06 02:32 PM, Bill Cole wrote: PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list. Sorry, I still haven't figured out how to properly respond. When I

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
On 2021-04-06 02:32 PM, Bill Cole wrote: PLEASE NOTE: I read the mailing list obsessively and DO NOT NEED (or want) the extra copies sent when you send both to me and to the list. Sorry, I still haven't figured out how to properly respond. When I hit "reply all" it cc's the list and sends to

Re: Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
Can you provide a working example message AND the operative user prefs? OK, I was being very stupid. It finally dawned on me that the SA scores that appeared above the message body and below the headers when spamc was run without the -R option were SA scores embedded in the message by the

Getting different SA scores when using -R argument with spamc

2021-04-06 Thread Steve Dondley
When I run spamc without -R option like this: spamc -u some_user < some_email I get the following output: This is a multi-part message in MIME format. Content analysis details: (5.2 points, 5.0 required)

DNSWL overriding bayes_99 and bayes_999 rules

2021-04-06 Thread Steve Dondley
I have emails that have been flagged as spam in the past but that are still getting through, presumably because the servers are on some DNSWL. Example: X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999, DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,

What makes this email spam and how do I train myself to find markers for spam so I can train spamassassin properly?

2021-03-28 Thread Steve Dondley
The email below slipped through my spam filter. It has malicious content attached which purports to be a voicemail from comcast (I've snipped the attachment from the example) but it is actually a phishing attack. The attachment contains a link that goes to a web page at an obscure domain that

Why no points for SPF_NONE?

2021-03-21 Thread Steve Dondley
I'm learning a bit about spamassassin rules and taking a peek at how my inbound mail is scored. I noticed that PF_NONE scores zero points by default. I'm wondering if there is a good reason for not giving it a score and whether I should set that to something much higher like 1.0. I'm curious

Re: Workflow for adding new ham/spam to existing site-wide database?

2021-03-16 Thread Steve Dondley
You covered a lot of ground here. Thanks.. If you have some spare cycles, I have follow up questions to get an understanding of how you process your email: 21 seconds at that includes fetch the samples via imap from two folders, fire them against a bayes-only spamassasin instance, What is a

Workflow for adding new ham/spam to existing site-wide database?

2021-03-16 Thread Steve Dondley
I have been accumulating spam/ham samples and sorting them out into different directories on my server. As new spam/ham comes in, I throw it into the existing pile and then run "sa-learn --spam|--ham" on the whole pile. It dawned on me that this will get very slow as I eventually collect

Scoring for "look alike" characters in subject?

2021-03-15 Thread Steve Dondley
I'm noticing a fair amount of spam getting through using letters in the subject line that are outside the standard set of ASCII characters in an effort to bypass spam filters. For example, instead of a capital "R", there will be a letter that closely approximates a capital "R" but when you

Re: Can a .spamassassin directory in a user's home directory override the site-wide configuration?

2021-03-15 Thread Steve Dondley
OK, thanks for the additional info. It looks like I was having a permissions issue and the bayes_* files were not both r/w for users despite having bayes_file_mode set to 0666. I'm thinking probably because the bayes_path was originally created manually with root. spamassassin reads site-wide

Can a .spamassassin directory in a user's home directory override the site-wide configuration?

2021-03-14 Thread Steve Dondley
I'm learning to understand how to properly set up a site-wide bayes database on my server. Thanks for everyone's help and patience so far. I've discovered that the SA score assigned to a user's incoming email is different than the SA score run through the "spamc" or "spamassassin" command.

Re: How do I determine if user's email is being checked against the side-wide database?

2021-03-13 Thread Steve Dondley
Are there any BAYES hits on their messages, ham or spam? BAYES_{not 50} would be a positive confirmation. I'm not sure offhand if BAYES_50 hits when bayes is enabled but insufficiently trained... In one email, I'm seeing this: 3.0 BAYES_95 BODY: Bayes spam probability is 95 to

How do I determine if user's email is being checked against the side-wide database?

2021-03-13 Thread Steve Dondley
I *think* I have site-wide bayes filtering working now for all users on a server. I've edited /etc/spamassassin/local.cf to include "bayes_path" and "bayes_file_mode" and I don't see any errors about permissions being wrong from debian-spamd in mail.log. But rather than guessing, I'm

How do I efficiently share a database with all users?

2021-03-11 Thread Steve Dondley
I have a few different mail servers. I harvest mail from the servers and periodically sort them into ham/spam folders and then share the sorted mail back out to the servers and run sa-learn on each of the servers to coach spamassassin. After doing this a few days, I notice that stuff that I

Re: Training spamassassin past 5,000 emails

2021-03-09 Thread Steve Dondley
On 2021-03-09 08:28 AM, Greg Troxel wrote: Steve Dondley writes: I've read through https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which states that "anything over about 5000 messages does not improve accuracy significantly in our tests." I would take that with a gra

Training spamassassin past 5,000 emails

2021-03-09 Thread Steve Dondley
I've read through https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which states that "anything over about 5000 messages does not improve accuracy significantly in our tests." So once I hit 5,000, what do? Do I run --forget on say the 500 oldest emails, delete those from my

Re: Upgrading from 3.4.2 to 3.4.5, how to

2021-01-21 Thread Steve Charmer
on this documentation page: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UpgradingVersion "If you install using a Linux package installer: Debian unstable: apt-get install spamassassin " what is the meaning of "unstable" ? it sounds scary, like the package should not be run in live

Re: Upgrading from 3.4.2 to 3.4.5, how to

2021-01-21 Thread Steve Charmer
I'm sorry, but I do not understand your message. I thought an upgrade fixes bugs. Maybe you are thinking about an update, which seems like it would update rules in *.samples? I would "like" to backup everything, for safety, that is why I included a list of the directories (folders) which I

Re: Upgrading from 3.4.2 to 3.4.5, how to

2021-01-20 Thread Steve Charmer
are these the important folders which need to be backed up? PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin and... /var/lib/spamassassin/3.004002 does that match to SA version 3.4.2 ? I see 3.00... and think, NO that

Upgrading from 3.4.2 to 3.4.5, how to

2021-01-19 Thread Steve Charmer
Hi, I am running version 3.4.2 /usr/bin/spamassassin -V SpamAssassin version 3.4.2 running on Perl version 5.22.1 spamd --version SpamAssassin Server version 3.4.2 running on Perl 5.22.1 with SSL support (IO::Socket::SSL 2.024) with zlib support (Compress::Zlib 2.068) which spamd

Re: BITCOIN_PAY_ME and new type of blackmail, non porn.

2018-12-18 Thread Zinski, Steve
I’m seriously thinking about doing the same (block all emails that contain a bitcoin address). I’ve had good luck with my custom rule that also tests for Unicode obfuscation: body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ body __BTC2

Re: Bitcoin update

2018-10-07 Thread Zinski, Steve
> The trouble with this is that you would be adding 10 point to anything > with a bitcoin address whether anything's obfuscated or not. If you want > to avoid this take a look at the FUZZY_* rules. Well, actually, no. I sent you a snippet of my rule and inflated the score to 10 for

Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Yes, absolutely. On 10/5/18, 1:42 PM, "John Hardin" wrote: On Fri, 5 Oct 2018, Zinski, Steve wrote: > Here's how I'm blocking bitcoin emails with Unicode characters embedded: > > body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/

Re: Bitcoin update

2018-10-05 Thread Zinski, Steve
Here's how I'm blocking bitcoin emails with Unicode characters embedded: body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i body __BTC3 /\b\W*b\W*t\W*c\W*\b/i body __BTC4

Re: Using UTF-8 characters to avoid spam filter rules.

2018-06-28 Thread Zinski, Steve
now filter on a bitcoin regex (see below) and some other words such as “pixel”, “virus”, etc. which are always a part of the sextortion message. body __BITCOIN /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/ Steve From: Mark London Date: Thursday, June 28, 2018 at 2:26 PM To: "

Fwd: Increase scores based on lewd body text

2018-05-03 Thread Steve Mallett
Didn't cc users@ How do I add a non sa-compile ruleset to spamassassin? The googles are not helping. on Ubuntu16 Steve On Tue, May 1, 2018 at 7:52 PM, Kevin A. McGrail <kmcgr...@apache.org> wrote: > I have several rules for sexually explicit content in KAM.cf. See > https://

Increase scores based on lewd body text

2018-05-01 Thread Steve Mallett
dy text and/or is there a recipe specifically for that type of thing? Steve

Re: new campaign: bitly & appengine.google

2017-09-12 Thread Zinski, Steve
Report to – supp...@bitly.com On 9/12/17, 1:29 PM, "Benny Pedersen" wrote: Chip M. skrev den 2017-09-12 15:28: > > Does anyone have a contact at BitLy? These would be trivially > easy for them to block.

Re: Custom rule problem

2017-01-31 Thread Zinski, Steve
Sorry for the trouble, everyone… I had been forwarding the spam through my personal IMAP account (to test my rule) which was apparently blocking it. I forwarded it using my gmail account and my new rule fired. I feel like an idiot. Steve On 1/31/17, 2:53 PM, "John Hardin" <jhar.

Re: Custom rule problem

2017-01-31 Thread Zinski, Steve
Here’s the “view source” of the message in question. http://pastebin.com/AnwkAf9t Again, it’s line 88 that I’m trying to match. Thanks. On 1/31/17, 11:36 AM, "John Hardin" <jhar...@impsec.org> wrote: On Tue, 31 Jan 2017, Zinski, Steve wrote: > I’m trying to

Custom rule problem

2017-01-31 Thread Zinski, Steve
Hello, I have a problem that I hope someone can help me with. I’m trying to write a custom rule to block a certain type of spam. When I view the message source, the very last lines of the spam look like this: http://trc.spammersdomain.com/redirect.php?email=redac...@richmond.edu;> Every

Re: RCVD_IN_SORBS_SPAM and google IPs

2016-09-08 Thread Zinski, Steve
I’m seeing the same thing here, I’ve had to adjust that score lower. Also seeing lots of RCVD_IN_SORBS_WEB false-positives. On 9/8/16, 4:53 PM, "Shane Williams" wrote: Hey all, I'm seeing google IP ranges hit the RCVD_IN_SORBS_SPAM rule, and in digging

Re: Spamassassin Bayes... "why give that spam that score???"

2016-02-24 Thread Steve
On 24/02/2016 22:59, John Hardin wrote: On Wed, 24 Feb 2016, Steve wrote: I've used spamassassin for many years - on Ubuntu, using amvisd - with great success. In recent months, I've been receiving several spam messages each day that evade the filters. Can you provide samples? (e.g. three

Spamassassin Bayes... "why give that spam that score???"

2016-02-24 Thread Steve
I've used spamassassin for many years - on Ubuntu, using amvisd - with great success. In recent months, I've been receiving several spam messages each day that evade the filters. * These false-negatives conform to a handful of simple, formulaic, textual forms - on common subjects. * The

A rule to check X-ASN header

2015-11-23 Thread steve
uit=no autolearn=no X-Spam-ASN_RV: AS15169 74.125.0.0/16 X-Spam-ASN_SASM4: AS15169 X-Spam-ASN_SEM: AS15169 74.125.0.0/16 SPF_PASS=-0.001,TXREP=-1.021,T_DKIM_INVALID=0.01,T_SCS_ASN_ANYTHING=0.01, T_SCS_ASN_EXISTS=0.01 Any advice gratefully received! Steve

Re-2: A rule to check X-ASN header

2015-11-23 Thread steve
ide net yet). > asn is nice but too unstable to make rules on I feel it's worth exploring for my purposes. Any further advice will be gratefully received. Regards Steve Original Message Subject: Re: A rule to check X-ASN header (23-Nov-2015 12:13) From:Benny Pede

Re-4: A rule to check X-ASN header

2015-11-23 Thread steve
> steve skrev den 2015-11-23 13:31: > > >>> asn plugin currently does not work with ipv6 > > I'll cross that bridge when I come to it. > > i just still need self to debug why it fails, currently i have seen > 2.0.0.0/8 when ipv6 received in 26xx: :=) >

Re-4: A rule to check X-ASN header

2015-11-23 Thread steve
> a meta rule with rcvd header and From: header rules will do the trick, > faster and simpler. > Good thinking. I'll investigate this further. Thanks Steve

Re-2: A rule to check X-ASN header

2015-11-23 Thread steve
ed from 217.199.161.224 (ASN 20738 - Webfusion Internet Solutions) and had *google* in the domain, to me that's something I want to have visibility of. Overall, while I appreciate your efforts and discussions about the validity of my objectives, what I'm really after is how can I query the X-ASN header? If this turns out to be a waste of time I'll be the first to let you know. Many thanks Steve

Re-2: A rule to check X-ASN header

2015-11-23 Thread steve
e following adjustment and the rule is now being triggered. header T_SCS_ASN_AS15169C X-ASN =~ /^15169$/ As to whether this will be helpful in detecting spam I'll let you know. Kind regards Steve

Re-6: A rule to check X-ASN header

2015-11-23 Thread steve
> steve skrev den 2015-11-23 15:43: > > > That was just one example I received. Yes, you can very well use > > google.junc.en and no that doesn't mean Google spams me. > > > > My eventual goal is to test for "Has google in the sender name OR > > domai

Large spam

2015-07-15 Thread Zinski, Steve
We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip

Re: Detecting macros in word files

2015-07-01 Thread Steve Freegard
(which is what we do here). Kind regards, Steve.

Re: spamassassin detailed logging

2015-06-19 Thread Steve Freegard
!44f21c66bf985efa445526f7e5426264e223ecff488eaa8bff906b038bd86b39d466c13d9b768944b8a292c509c16656!@***.**.org,autolearn=disabled,lastexternal=198.246.200.77,envfrom=@***.**.org,haraka-uuid=13C5EA99-2D43-4D08-B813-7A6889C6D8D0.1 Kind regards, Steve. Haraka.pm Description: Perl program loadplugin Mail::SpamAssassin::Plugin::Haraka Haraka.pm ifplugin Mail

Re: spamassassin detailed logging

2015-06-19 Thread Steve Freegard
On 19/06/15 16:57, Steve Freegard wrote: spamd will already log the envfrom= line provided it has this information passed through from whatever calls it. I send it over via a X-Envelope-From: (see 'envelope_sender_header' in man Mail::SpamAssassin::Conf). Actually - I'm talking rubbish; I

ham source for site-wide bayes?

2015-05-20 Thread Steve Rainwater
spamassassin in the first place :) I can't find anything in spamassassin docs so far that explains a non-manual way of supplying ham. Have I missed something? Is there some sort of service where I can subscribe to an updated ham corpus automatically like with the clamav database? -Steve
